Problem

For both the <s:url> and the <s:a> tag, it is possible to inject parameter values that do not get escaped properly when the tag's resulting URLs are constructed and rendered. The following scenarios are known:

A parameter value included in the construction of a <s:a> result can inject an unescaped double quote, thus being able to inject code in the resulting HTML by escaping the rendered href attribute.

Both the <s:url> and the <s:a> tag fail to escape <script> tags when includeParams is set to any other value than "none", which can be exploited by calling the containing JSP/action with GET parameters such as http://localhost/foo/bar.action?<script>alert(1)</script>test=hello

Solution

As of Struts 2.0.11.1

Double quotes do get escaped for parameter values used to constuct the output of a <s:a> tag

<script> tokens do get recursively escaped for parameter values used to contruct the output of <s:a> and <s:url> tags

You can obtain Struts 2.0.11.1 as a drop in replacement for Struts 2.0.11 to get the fixed Struts 2 core library.